In the revisions to PCI DSS, now on version 3.0, the PCI Security Standards Council added a note to Requirement 6.3, extending the secure software development mandate to cover all custom software, including software developed by third parties. At CA Veracode, we’ve been talking about the need to secure your third-party code for quite some time now, so we’re excited to see a standard as widespread as PCI DSS require this level of testing.

The note to 6.3 recognizes that most enterprises rely on third-party software in one way or another. Whether you’re using a third-party platform or third-party components as a starting point, buying from a commercial vendor or SaaS provider, or skipping the process entirely and contracting a third party to develop the software for you, this extension underscores the importance of securing every stage of the SDLC, and of not introducing vulnerabilities into your applications by assuming a third party will have done the same. Everyone is a target.

CA Veracode’s patented binary static application security testing (SAST) is the best approach to ensuring your third-party code is up to the challenge of, at the very least, a PCI audit. Because scanning happens at the binary level, no source code changes hands and there’s no threat to the vendor’s intellectual property, which makes it much easier to bring software vendors on board during their development process rather than in production. Once vulnerabilities go live, the time and cost of remediation can skyrocket, and so does the risk of downtime.

Vendors simply upload their application(s) to our platform, and we scan the binaries to produce a complete set of identified flaws. The results also show the vendor’s overall compliance with whichever policy has been assigned – in this case PCI DSS 3.0. You can review any potential vulnerabilities that would cause the application to fall out of compliance, then pursue remediation or mitigation with the vendor and CA Veracode, so you can move forward with development and/or release.
That’s the peace of mind we love to offer: when you’re doing application security right, audit time is just a thing that happens, and you get to report that your application security process is awesome. Remember to roll with the punches, not take them in the face. It always hurts the most when you don’t see it coming, and with PCI revisions like this, there’s no excuse not to be testing. Keep fighting the good fight!